The irony that Android right now is the biggest botnet source in the world because of crap-level security and upgrade policy... that I could have 100+ separate security patches for Microsoft in one year... makes Apple pretty secure from any derision from the likes of Google or Microsoft.

Got a link to support this?
 
Google is playing dirty.

Why are you mad when they're helping to improve the security of your products for free? It's no different than another car manufacturer pointing out a safety defect in your car. You should be thankful.
 
Google has a disingenuous agenda on this. Where are all the hundreds of issues with Android, Chrome OS, Gmail, etc.? They will not mention them.
Google isn't publishing all issues with operating systems, only security-related ones. Maybe they're fixing the security issues within the 90 days.

Should Microsoft or Apple publish Google's issues after 90 days? The list would be very long.
And if Apple and Microsoft think that Google is doing this simply as a "gotcha", then there is nothing stopping either of them from doing the same towards Android and ChromeOS.
 

I saw a lot of people on twitter and elsewhere voicing frustration that something was installed on their machine without explicit authorization.

Oh yes, I remember that. As it happens though, I don’t mind betting that the moaners had set their Mac up that way and forgotten about it.

This is not the fault of Apple.
What is their fault is if they install without permission; there is a difference.
 

Google is playing dirty.

Huh. I was thinking that it was odd they were doing QA work for Apple for *free*. I don't see the downside of this. If they want to divert their resources to make Apple's OS better, then god go with them, brother.
 
Why are you mad when they're helping to improve the security of your products for free? It's no different than another car manufacturer pointing out a safety defect in your car. You should be thankful.

Lol, if for example Ford was pointing out safety defects in other competing manufacturers' cars, it would absolutely come across as dirty.
 
Why are you mad when they're helping to improve the security of your products for free? It's no different than another car manufacturer pointing out a safety defect in your car. You should be thankful.

You'd think they'd be better off fixing the numerous security flaws found in Android but, apparently, Google doesn't deem them important enough to bother fixing.
 
You mean by communicating that OS X has security holes? How's that dirty? It will now at the very least get addressed by Apple.

The dirty part is that they don't seem as willing to publish security holes in their own operating system, which there are plenty of. That makes this rather sanctimonious and just a big PR stunt.

----------

Huh. I was thinking that it was odd they were doing QA work for Apple for *free*. I don't see the downside of this. If they want to divert their resources to make Apple's OS better, then god go with them, brother.

Google's doing this to be able to blow their own horn. So there's nothing "free" about this. It's marketing; nothing is free then.
 
They could have asked if a release was imminent. The point is to get them patched, not to be the first.

I think the main point is to remove value from the zero-day vulnerability market.

Choosing to wait longer than 90 days to publicly expose a vulnerability does nothing but allow the vulnerabilities to remain on the black market for longer. Some of these have been known to sell for five digits.

If companies start taking this 90 day window more seriously, it will hopefully reduce value in the exploits that hackers purchase from black markets and make it more difficult to release worthwhile exploit kits.
 
Hard to read Google's "altruism" as genuine given all the acrimony between them and Apple... just hope that Apple gets on it now and resolves the issues.

Methinks Google should focus more on fixing its own problems in the various flavors of Android first rather than try to 'help' its competitors...
 
Google is playing dirty.

You want dirty? Kevin Mitnick now runs a security firm which will pay for zero day exploits and then sell them to the highest bidder or the company which they're related to.

I don't see an issue with making a company aware of their security issues and then exposing them publicly if they don't act on them for 90 days.

Firefox has had more than 1500 documented bugs for years. One of their head developers left because they were more interested in releasing next version after next version than fixing the problems with the current version. Maybe releasing info on these things will help to make companies act quicker to fix them.
 
Apple didn't fix the flaws they've known about for 90 days.

Thanks to Google for making them do it.
 
It's funny how so many people are shooting the messenger. Regardless of how it came to light, the fact is Apple needs to address this (like any security concern), yet this thread has turned into an argument on how bad Google is.
 
I think the main point is to remove value from the zero-day vulnerability market.

Choosing to wait longer than 90 days to publicly expose a vulnerability does nothing but allow the vulnerabilities to remain on the black market for longer.

This is questionable, first because it supposes that the particular vulnerability has already been exposed and is actively used. Secondly, last week (I think) Microsoft asked Google for some more time so they could get their patch done in time. Google's response: no, sorry. A published unpatched issue is clearly much worse, and there is absolutely nothing you as a user can do about it.
 
I remember reading about this yesterday...

This is hardly that big of a threat seeing as all of the vulnerabilities require physical access to the victim machine, one of them has already been fixed, one requires admin privileges to work and the third only causes memory corruption (so it's only useful for vandalism).
 
I love this.

Apple is sometimes not that quick to patch security holes, and the prospect of being embarrassed by Google must light a fire under their feet.

90 days is plenty of time. If it really takes Apple more than 90 days to fix a security issue, they need to fix their process or priorities.

Malicious hackers may very well already know about the holes and be exploiting them, so it's not better to take a lot of time.

This is questionable, first because it supposes that the particular vulnerability has already been exposed and is actively used. Secondly, last week (I think) Microsoft asked Google for some more time so they could get their patch done in time. Google's response: no, sorry. A published unpatched issue is clearly much worse, and there is absolutely nothing you as a user can do about it.

Is it better to assume the vulnerability isn't on the black market?

90 days isn't an unreasonably short period of time. If MS really needs more time than that, the answer is for MS to improve its process for fixing vulnerabilities and make it a higher priority. If Google will back off every time MS (or Apple or whomever) wants more time, the incentive for MS (or Apple or whomever) to improve or prioritize fixing these issues is reduced. Ultimately, that's going to help malicious hackers and hurt everyone else.
 
I disagree with this. Just because a security vulnerability hasn't been publicized doesn't mean it doesn't exist, and that black hat hackers can't find out about it.

I submitted a vulnerability regarding Apple's online store to Apple. They requested that I not share information about the vulnerability and said they were working on fixing it. I imagine Apple could similarly respond to Project Zero and tell them something along the lines of "we will fix it within 30 days, please don't publicly comment on it now" when the 90-day deadline is approaching, and I imagine Project Zero would respect that, if they truly are well-meaning.

Google ignores such requests. When the 90 days is up, the vulnerability goes public. They've already demonstrated this. They are drawing a hard line in the sand with respect to the deadline.
 
I think the main point is to remove value from the zero-day vulnerability market.

Choosing to wait longer than 90 days to publicly expose a vulnerability does nothing but allow the vulnerabilities to remain on the black market for longer. Some of these have been known to sell for five digits.

If companies start taking this 90 day window more seriously, it will hopefully reduce value in the exploits that hackers purchase from black markets and make it more difficult to release worthwhile exploit kits.

They are zero-day because they are released to the public before a fix exists. Google even provides test code for them (the black market). These are previously undiscovered issues uncovered by Google's team that clearly Apple had fixed in the 10.10.2 beta. If Apple is a few days away (and Microsoft has Patch Tuesday), then WAIT.

You cannot just change an OS release at the drop of a hat. They need testing.
 
Is it better to assume the vulnerability isn't on the black market?

No, but in relation to the grace period it doesn't matter I don't think.

90 days isn't an unreasonably short period of time. If MS really needs more time than that, the answer is for MS to improve its process for fixing vulnerabilities and make it a higher priority. If Google will back off every time MS (or Apple or whomever) wants more time, the incentive for MS (or Apple or whomever) to improve or prioritize fixing these issues is reduced. Ultimately, that's going to help malicious hackers and hurt everyone else.

Maybe not, but it would depend on the complexity of the bug, I suppose. But the bottom line here is what's worse: pushing the deadline ahead, or exposing an unpatched vulnerability? Why is it Google's job to make demands, and why aren't they investigating and publishing security flaws in their own products?
 
Firefox has had more than 1500 documented bugs for years. One of their head developers left because they were more interested in releasing next version after next version than fixing the problems with the current version. Maybe releasing info on these things will help to make companies act quicker to fix them.

A "bug" doesn't always equal an "exploitable vulnerability". There are many different kinds of bugs, and some are rather benign and harmless. How many of those 1500 bugs were of grave concern to the Facebook dev team? How many put the users of Firefox at risk?
 
Oh yes, I remember that. As it happens though, I don’t mind betting that the moaners had set their Mac up that way and forgotten about it.

This is not the fault of Apple.
What is their fault is if they install without permission, there is a difference.

Indeed. I didn't say I agreed with such complaining. ;)
 